This Was The Xbox Problem. Here Is The Solution.

No one ever thinks they will be the victim of a phishing scam or account hacking until it finally happens to them. A hacked Xbox LIVE account is an inconvenience at the very least, but how bad can it get and what should you do if you’re a victim? Read more to find out.

Andy Bates is a QA engineer from San Jose, California. On July 22, 2011, he made his first phone call to Xbox support after discovering that two unauthorised purchases totaling $US124.95 had been made using his account. He provided the support staff with his details and was told that his account would be suspended for 21 days to ensure that no other fraudulent activity could occur while they investigated the hacking.

Eighteen days later, Bates received an email from Xbox notifying him that his LIVE Gold 12-month subscription had been automatically renewed.

“This annoyed me,” Bates says. “It should have also tipped me off that something was wrong. If my account had really been suspended, it should not have auto-renewed.”

Two days later, Bates called Xbox support again. A day away from the end of the 21-day investigation, the status of his case was “still being investigated.”

The Letter

On February 7 the General Manager of Xbox LIVE, Alex Garden, wrote a letter to all Xbox LIVE users. In it he detailed the new security measures the service was putting in place to protect LIVE accounts, including an important line stating that hacked accounts could be returned to their owners as little as three days after an investigation is opened.

For many people, perhaps with the exception of Andy Bates, this letter seemed like a mere formality rather than a response to a real problem. After all, 2011 was the year of the PlayStation Network breach, in which hackers gained access to the personal information of an estimated 70 million PSN accounts; Xbox LIVE’s problems paled in comparison.

But a pale problem is still a problem. The extent of hacked Xbox LIVE accounts may not have spilled into the millions, but it was more widespread than most believed. Most people were aware of the FIFA-related Xbox LIVE attacks, but beyond that many other accounts were being compromised on a regular basis.

The Problem

While we cannot put a figure on the number of Xbox LIVE accounts hacked in 2011, a thread about Xbox LIVE account hackings on the popular gaming forum NeoGAF had no problem drawing hundreds of responses from victims within days of being posted. The problem wasn’t simply that these accounts had been compromised, it was Xbox’s poor handling of the cases.

Victims were told that their accounts would be suspended anywhere from 21 to 27 days while the accounts underwent investigation, but many of these investigations far exceeded the time frame and were often inconclusive.

Many of the posts went like this: account hacked in September 2011, still not resolved by mid-November; account hacked early October, still not resolved by mid-November; account hacked in June, still no resolution, compensation or remuneration from Microsoft; account hacked mid-July, still no remuneration by November; account hacked in August, still nothing from Microsoft at the time of writing. While there were cases where Microsoft resolved the problem in a timely manner, it was evident that many customers were left hanging and dissatisfied.

The Problem That Got Worse

Twenty-seven days since his first call to Xbox support — a whole week after his case was meant to have been resolved — Andy Bates called Xbox support again. He was informed that his case had been closed… with no resolution. When Bates asked why it had been closed, he was told that they had lost or misfiled information, so there wasn’t enough information to investigate the fraud.

Bates says: “The rest of the conversation went something like this:

‘Me: I don’t understand why you would close the investigation if you didn’t have enough information to resolve it.

Xbox: We did resolve it: we resolved it as Not Enough Information.

Me: Why didn’t you leave it open until you could get more information from me?

Xbox: We didn’t have a way to get a hold of you.

Me: Well, you have my email address on file, why didn’t you email me?

Xbox: Since your account had been compromised, that email could have been compromised too.

Me: But I provided you with an alternate email address specifically so you could get a hold of me!

Xbox: We didn’t have that information.’”

Bates says he was told that he would have to wait another 21 days for the case to be resolved.

In September, Bates’ friends notify him that his account has been seen logging onto Xbox LIVE to play games, even though Bates is locked out and the account is supposedly suspended. By mid-September, Bates’ account is returned to him, without any information on the findings of the investigation. He is promised a refund of the credits used by hackers back in July, but he finds that additional games were bought with his account while it was suspended and his entire Friends list has been wiped. In fact, his purchase history shows that games were still being bought during August and September.

“So I call them and they escalate my complaints to a supervisor,” he says.

“This is how she dealt with the issues: ‘I am very sorry, I apologise. No, I can’t recover your Friends list, no I don’t know why your account wasn’t locked, sorry I can’t forward you to my manager – there is no one above me, this is escalated as far as it can go.’”

Two months later, Bates still doesn’t receive his credit refund and calls again, at which point he is told that his refund will come soon.

“So that’s the story,” Bates tells Kotaku AU.

“I am amazed at the repeated incompetence at dealing with customer issues, the lost data, and the failure to lock my account, and the complete unwillingness to provide any free credits to make up for it.”

The Solution

Bates’ story is not a common one, but it does highlight the inconsistent way in which Microsoft handled hacking cases. Some people have had their accounts returned to them — refunds and all — within 21 days with no problems whatsoever. Others have had their cases dragged out for months. This is why Xbox LIVE’s recent letter to its users is significant and should not be ignored.

In his letter, Alex Garden urges Xbox LIVE users to take extra care to safeguard their accounts from attacks: set hard-to-guess passwords, change them routinely, use a valid email address and a unique password for each service they sign up for, and reduce the amount of personal information they share online.

Additional security measures that Xbox LIVE has put in place to prevent hackings include CAPTCHA, an industry-standard anti-scripting challenge designed so that an actual human, rather than an automated script, has to answer it, and account lock-outs for anyone who tries and fails to log in multiple times.
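The letter does not say how the lock-out works, so here is an added example (not Microsoft's code, and not a description of Xbox LIVE's implementation) of the control the paragraph above describes: a sliding-window counter of failed logins with a timed lock-out, keyed both by account and by source address. The thresholds, the sample account, the password and the IP addresses are all assumptions made for the demonstration.

```python
# Added example, not Xbox LIVE's code: failed-login counting with a timed
# lock-out. Thresholds, the demo account and the IP addresses are assumptions.
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Track failed logins per key (an account name or a source address) and
    lock that key once it reaches max_failures inside window_seconds."""

    def __init__(self, max_failures=5, window_seconds=900,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable so tests need not sleep
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def _prune(self, key, now):
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        return recent

    def is_locked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]       # lock expired: start with a clean slate
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        """Record one failed attempt; return True if the key is now locked."""
        now = self.clock()
        recent = self._prune(key, now)
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


# Constructed credential store for the demo (assumption, not a real account).
_USERS = {"andy": "correct horse battery staple"}


def make_login(by_account, by_source):
    def login(account, password, source_ip):
        # Refuse before checking the password: a locked key must not reveal
        # whether the guess would have been right.
        if by_account.is_locked(account) or by_source.is_locked(source_ip):
            return "locked"
        if _USERS.get(account) == password:
            by_account.record_success(account)
            return "ok"
        by_account.record_failure(account)
        by_source.record_failure(source_ip)   # also counts guesses spread over many accounts
        return "denied"
    return login


def demo():
    """Drive the throttle with a fake clock so the lock-out and its expiry can
    be observed without waiting. Returns the sequence of login outcomes."""
    fake = {"t": 0.0}
    by_account = LoginThrottle(max_failures=5, lockout_seconds=900, clock=lambda: fake["t"])
    by_source = LoginThrottle(max_failures=20, lockout_seconds=3600, clock=lambda: fake["t"])
    login = make_login(by_account, by_source)

    results = []
    for guess in ("password", "123456", "qwerty", "letmein", "dragon"):
        results.append(login("andy", guess, "203.0.113.7"))      # five wrong guesses
    results.append(login("andy", "correct horse battery staple", "203.0.113.7"))
    # The account lock also shuts out the real owner from a different address:
    results.append(login("andy", "correct horse battery staple", "198.51.100.9"))
    fake["t"] += 901                                               # lock-out expires
    results.append(login("andy", "correct horse battery staple", "198.51.100.9"))
    return results
```

Two caveats the demo makes visible. A per-account lock-out is a denial-of-service lever: anyone who knows a gamertag can lock its owner out at will, which is why the lock here is short and expires on its own rather than requiring a support call. And per-account counting does nothing against an attacker who tries one common password across thousands of accounts, so the second counter keyed by source address (with a higher threshold) is there to catch that pattern. In practice a service would also escalate to a CAPTCHA after a couple of failures instead of going straight to a hard lock.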

The 21-day investigation period that caused Xbox LIVE users so many headaches has also been reduced.

Garden writes:

“Recovering compromised accounts — in a timely manner — is also a priority and an area where we’ve made and will continue to make improvements.

“We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days.

“For users who had added extra strong proofs to their accounts, this may be as fast as 24-hours.”

Garden writes that some cases might still take longer, but the boost in resources aims to dramatically reduce the waiting period.

Long live LIVE

If you suspect that your Xbox LIVE account may have been compromised, check bank statements to see if any transactions have gone through and call your bank and Xbox Support immediately to prevent further transactions from taking place. The number for Xbox Support for Australians is 1800-555-741.

Time will tell whether Xbox LIVE’s new security and investigation measures will improve the way Microsoft handles hacked accounts. While last year’s victims may have had to put up with an inconsistent system, hopefully cases like Andy Bates’ will be a thing of the past.

Comments

To me, this strikes me as significantly worse than the PSN hacks. When they were hacked, the network was shut down, and they offered everyone free games to try and make up for it. But in this case, they're punishing users who have been hacked by locking them out of online play for weeks, and then not resolving it properly. It's shocking and really badly handled.

When the PSN was hacked, their actual infrastructure was compromised. All the details of people that were stored on their servers became known to the hackers.

In this case, Microsoft itself has not been compromised, but people have been, through a combination of reusing passwords and information, combined with brute force measures.

Yes, it has been terribly handled, but you can only blame Microsoft for the fact that they had a lax security system for repeated attempts at logging in, and how appallingly they've handled the response.

I had my account hacked while I was playing Gears 3 on September 23. Still waiting for my account back, along with the £100 they spent migrating my gamertag to Russia. I have had to buy my own 3-month subscription after my first month ran out. I have had such a bad experience, with over 20 calls to Microsoft, and now I am about to take legal proceedings with my credit card company. As of today, 10-02-2012, I have never received an e-mail from Microsoft. I cannot believe how bad they treat their customers, and to put the record straight, I am a 41-year-old gamer and have never given my details out; my account was hacked through EA.

My account was hacked in December in a similar manner. I called up Microsoft, they locked my account to prevent any more unauthorised access. Next day, both my Xbox Live and Windows Live accounts were stolen from me, with the login emails changed to ones I didn't recognise. I called up MS again, they say it's normal for the emails to be changed... I didn't believe them, but I let them continue their investigation.

And then, about 2 weeks ago, I get a call saying I have my account back... Which I didn't, I explained this and the fact the emails were changed. She checked it out, said while it is normal for the emails to be changed during an investigation, they weren't changed to something they use. So another month before I get a 'resolution'.

I remember reading that there was no increase in fraud post psn attack whereas the xbox problem is defined by increasing reports of fraud and theft. PSN had a higher profile because sony reacted by tearing down a broken system and fixing it. MS kept a low profile by denying it was their fault and then sneaking in new security measures.

Are these purchases coming out of XBL points you've already bought? Or coming off your credit card? If they're coming off your credit card then I'd call your credit card company and get them to reverse the transactions. Sounds like it'd be a hell of a lot quicker than getting any joy out of MS, judging by this article.

I had the FIFA hack happen to me about a month ago. I contacted customer support over the phone and they told me an investigation may take up to a month. I'm a university student and decided to make the most of my holidays by chipping away at my pile of shame as well as a bit of online with friends so having access to my account blocked wasn't an attractive option. My issue with that was that my xbox live profile hadn't fallen into the hands of these fraudsters, it was my EA account that had been compromised. I also had under a thousand points on my account making it useless to anyone trying the FIFA hack. Anyways, getting to my point... When I read the statement from Alex Garden I decided to test his word and sent him an email describing my scenario and why I thought blocking access to my account was just adding insult to injury. He quickly responded (less than 24 hours) and said he'd refer me to one of the support members which he did and I received another email in the next 24 hours. This email stated that they were going to look into my account and try and find a solution. Last night I was up to roughly 3 am (forever alone) playing custom Halo 3 matches. Wake up this morning (afternoon) to find an email saying an investigation into my account was complete. They sent me a code for my points as well as a month of gold for the hassle of having my account blocked. I applaud Microsoft on the way they have handled my case, I still think this is a bit of a band-aid approach and the loophole needs to be dealt with immediately but all in all it's a vast improvement over the horrible stories I've heard over the last few months.

That... that is NOT a solution to the hacking problem. That's a "solution" to the Xbox support problem.
And seriously, supervisor is as high as problems and positions go in support?? Doesn't she report to someone or has she got complete authority over this department with no accountability to anyone at Microsoft??? 0___o

If I were her, I'd be kicking up a big stink at why supposedly suspended accounts aren't suspended. That's like your credit card provider suspending your CC only to then find out that its still being used to make purchases :S

BTW, CAPTCHA is a pretty poor defense, given there's programs and even companies who hire people to solve them for next-to-nothing. I agree with Lachlan in saying that I'd be more annoyed with Microsoft than Sony (and remember, the legit owners are being locked out, yet the hackers are still freely using the supposedly suspended account).

Captcha IS a solution to part of the hacking problem. It will make brute forcing methods via scripts impossible, all that's left is social engineering and phishing, which nobody has a solution to as of yet.

I'm pretty sure I've already said something to this effect, but it amazes me the double standards people have with regards to Sony and Microsoft.

Microsoft has the worst customer service under the sun, bordering on negligent. They have a rather large spread and ongoing issue with account security. They are, in some cases lying to customers and/or misleading them, and for the most part, the general feeling towards Microsoft is still pretty good.

Sony gets hacked, the world turns on them overnight, and they spend the next year being the butt of bad jokes, despite every effort to recompense customers with free games, free playstation plus, personal and heartfelt apologies from Kazuo Hirai and other high powered Sony execs.

Now to clarify, damn right Sony should have done all they did. They screwed up. Yet somehow, no one seems to harbour any bad feelings towards Microsoft despite their continuing failures in security and customer service. Where's the rage for Microsoft? Where's all the cynicism, bile and hatred?

Before anyone decides to call 'Sony fanboi', I own a 360 (have done for about 4 years, this is my second unit) and a PS3, as well as other Sony and Nintendo products.

I think it's because people have been bagging on Microsoft a lot for quite a while, so it's nothing new. There hasn't been anything to rag on Sony for, so the hacking incident was a chance for people to have a go at Sony. Well, that's how I see it anyway.

I think that's part of it, to a degree. But the other example is Steam - when they got hacked not too long ago. User info was stolen, and I heard talk of CC details possibly being compromised. Although it was the Steam forums, so that doesn't sound right. But that's already been forgotten. Now I'm not saying people should be hating Steam, or Microsoft, it's just curious they don't.

I think part of the problem was that Sony had already put a lot of people offside with things like the removal of Linux (although the number of outraged people seemed significantly larger than the number of people who actually used Linux on PS3), then coming down hard on those who hacked the PS3's security, etc.

So those people were already ranting and raving against Sony, and the hack just gave them ammunition.

Not long ago I had the credit card attached to my account cancelled. I couldn't remove it from my account without attaching another one AND I couldn't turn auto-renew off (didn't know you had to call them, and I thought that was dumb anyway).
Cut to a few months later and they're trying to renew my account. I thought after the 3rd attempt they'd give up and drop me to a free account. NOPE!
They renewed my account, suspended it so I couldn't even connect online at all and then sent me letters demanding the money.
Xbox support basically told me this: "You could've cancelled your account before we renewed your account." But that would've required me to know that this was going to happen. Then when I asked if they could cancel it, they said I'd have to buy the 12-month subscription THEN cancel that, and no refunds. It took two months for my suspension to finish and to revert to a free account.

Seriously? I didn't know it worked that way. So did you end up paying so you could cancel? Aren't there shorter subs than 12 months? Like just a 1 month to get you back long enough to cancel your sub? Either way, I'd be on the phone to consumer affairs if I were you, because that sounds very dodgy indeed.

Once someone's been into your account once, if you have a credit card attached to your account, they will have access forever. They will simply look at your account settings once they're in your account the first time and write down your credit card details; then all they have to do is reset your password with your billing information, and no amount of password or email changes will solve it. And no, removing your credit card from your account after the fact won't solve the problem, because it will still count as your billing history.

I ended up just waiting them out, wasn't going to pay them a cent just to cancel my subscription.
After the suspension my subscription was dropped back to a free account, so I could at least log on and see my friends list again.
I was more than willing to continue my subscription with them, but I was out of cash at the time it would've renewed, so I was planning to wait until I had some spare cash and renew the account myself. After all this, I doubt I'll renew it at all.

You guys aren't looking at this logically, I'm sure I'd be pissed as hell if this happened to me, but it hasn't, so I'm just a third-party giving a neutral opinion without any bias.

But if you look at this, it's a very grey area simply because everything is electronic and not face to face. There are so many possibilities that you really only have two options, just comply with the user who has the details of the account immediately, or do a thorough check. I'm sure we all know which one most companies would choose.

The main issue here lies in identification. It can be hard to identify somebody as who they are CLAIMING to be based purely on electronic information that they have gathered. Now normally, you could do it by asking for details, but when the account has/could have been PHISHED, doesn't the attacker also have those details? Who are Microsoft talking to.....? How do they know that this isn't the phisher trying to solidify his control over the account? Or a user who heard about this so-called 'xbox live hack' and decided to buy and download the content, use it, claim he was hacked and then get it refunded?

It hasn't happened to me, but the issue I have is with the investigations and when they turn up as inconclusive or something.

If this were to happen to me, contacting MS I could lodge a case, I could quote all the details within my profile and I could give them my console serial/ID number, which is completely unique and almost acts like a security code on the back of a CC.

They could use that last bit of info to verify my past transactions with the account. Hackers/Phishers wouldn't be able to have this, unless they actually stole the XBOX.

All those transactions would be logged with a whole stack of info, mainly IP, ISP, Country, etc... Now when Joe Phisher somehow gets my account, logs into my profile and buys a FIFA pack or MS funbucks, I would bet 99% of times it would be from another country, there is a different IP address and console Serial/ID. I can't fathom how this isn't checked first and resolved within the week, let alone over 3-4 and then only find out there "isn't enough information".

The FIFA hack was just plain old phishing and social engineering. It was done in apparently one of two ways: you were either phished in one way or another (mine seems to be from the SW:TOR beta) or the fraudster used social engineering to get your password from EA. Nothing to do with easy passwords in any way, shape or form; however, if you were silly enough to use the same email and password for Xbox Live and your EA account then you'd quite possibly lose your Xbox Live account as well. On another note, this is purely in relation to the FIFA hack and not the xbox.com hack, which was, as you said, in relation to weak passwords.

I still find it amusing that when the PSN hacks occurred, a lot of people were mocking Sony by saying "That's what you get when you don't pay for your online connectivity. You pay for your Gold status account on XBox 360, so we are better protected."

As it turns out, just because you pay for a service, it doesn't always mean anything in terms of better protection and response to having your account hacked. After a year of hearing about major organisations that should have been better protected being hacked and having customer details stolen, hopefully people will have learned to be more vigilant and not to blindly think that just because it's a big corporation, it doesn't mean you can be lax about personal security.

As opposed to that small underdog Sony? They were using a severely dated Apache server. Phishing for information is far different than a SQL vulnerability that had been patched far in advance. The XBL stuff was end-user error; the PSN was straight-up non-upgraded software on their end. I love how people act as if Sony the conglomerate is some sort of underdog. Sony as a corporation is just as bad as, if not worse than, the EVIL micro$oft.

ok, so no solution? Another troll sony fan boi strokathon?
I had my account phished 8 or so months ago, it sucked, but I came to read this with some alternative solution and all I got was. lulzorz? Kotaku the video game industry's FOX.
